back to article Marissa! Mayer! pulled! out! of! retirement! to! explain! Yahoo! hack! to! Senators!

Poor Marissa Mayer. After selling off Yahoo! and floating away on her golden parachute, she must have been looking for a nice rest. But US Congress wanted her to explain how every single user account on the portal got hacked. On Wednesday, she testified before the Senate Committee on Commerce, Science, and Transportation on …

  1. RichardEM

    Why are they talking to execs

    the people that will be able to really answer what happened and why are the programers and managers of the networks and software.

    The powers that be talk to the execs who really don't know what happened they just let the conditions that allowed it to happen exist.l

    1. Florida1920

      Re: Why are they talking to execs

      The only way these problems go away is if the execs know they will feel pain for not ensuring their data is secure. Programmers and managers are the means to that end, but they can't act without support from the top. How do you motivate an executive? Well, fear of incarceration is a good starting point. It sounds like some legislators haven't lost track of their balls and are threatening to write laws leading to that outcome.

    2. Anonymous Coward
      Anonymous Coward

      'Why are they talking to execs'

      You mean, just blame it all on 'one little guy'. That's exactly what Equifux tried to pull here. Not much 'security redundancy' there...

    3. Anonymous Coward
      Anonymous Coward

      'people that will be able to really answer'

      Seriously @RichardEM? . . . Dig a little deeper dude:

      https://www.theregister.co.uk/2016/10/04/yahoo_was_nsa_stooge/

      http://www.theregister.co.uk/2016/09/28/yahoos_security_shambles/

    4. chivo243 Silver badge
      Trollface

      Re: Why are they talking to execs

      "She said that there was little anyone could do about a state-sponsored attack."

      I have to agree, how informed can she be?

      Nelson wasn't keen on that response. What? no Ha ha?

    5. Anonymous Coward
      Anonymous Coward

      Re: Why are they talking to execs

      I'm the guy warning execs about problems and being told there's no money.

      I then risk assess it all and have them sign it off.

      It would be pointless dragging me in to explain the inaction of those I'm warning, but it would be productive to drag them in so they know they can be held accountable for their decisions and planning.

  2. Anonymous Coward
    Anonymous Coward

    "I want to sincerely apologize to each and every one of our user"

    "I want to sincerely apologize to our user"

    FTFY

    Dave passes his thanks but he's now using gmail so it's no biggy.

  3. Frank Gerlach #2

    Root Cause: HAIRBALL Systems Design

    Too many people in Software Engineering still think they need the latest and greatest third-party library in their projects. Nah - a dozen of them !

    So they have

    + TLS mumbo-jumbo, so complex nodboy gets it right (non exploitable bugs) for a decade.

    - OpenSSL with 400k Lines of Code and probably 10000 exploitable bugs. Nobody bothered to find them for a decade

    - Apache Struts with 280k Lines of Code and lots of exploitable bugs. Also, decade-old exploitable stuff in there.

    - Linux kernel with 11 million lines of Code and exploitable bugs in things like gethostbyname()

    So, what to do ?

    I suggest to radically rethink what we do and go for much leaner and easy-to-understand/easy-to-analyze systems. E.g.

    +seL4 OS(https://github.com/seL4/seL4) with just 40k lines of code ! Attempted correctness proof.

    +MST crypto library(https://github.com/DiplIngFrankGerlach/MST) with less than 1k lines of code at the core

    + INRIA CompCert C compiler(http://compcert.inria.fr/download.html) - 90k lines of code and correctness proven.

    And if that is "too technical" for the manager types, they should better educate themselves on the subject.

    1. Jim Mitchell

      Re: Root Cause: HAIRBALL Systems Design

      All software has bugs, some more than others. The problem here is that Equifax was running software they apparently did not know they were running. This is a process/management fail, not a software fail.

    2. Throatwarbler Mangrove Silver badge
      Meh

      Re: Root Cause: HAIRBALL Systems Design

      Great, you've got a 40,000 line microkernel. What software can I run on it?

      1. Doctor Syntax Silver badge

        Re: Root Cause: HAIRBALL Systems Design

        "What software can I run on it?"

        And what hardware can you run it on? If that were to run on the variety of H/W that Windows, Linux or BSD can run on there wouldn't be many lines of code per driver.

      2. AdamWill

        Re: Root Cause: HAIRBALL Systems Design

        And *yet another* crypto library. Because it's certainly helping that people keep writing new half-assed crypto libraries instead of contributing to improving the handful of ones that are actually used in all the real-world critical use cases.

    3. Trevor_Pott Gold badge

      Re: Root Cause: HAIRBALL Systems Design

      Something like WhiteSource can help developers make sure all their libraries are up to date. That's kind of it's job.

  4. This post has been deleted by its author

  5. Kevin McMurtrie Silver badge

    Another helpful step

    Lay off your abuse staff so you're not wasting money reading all those complaints about hacked accounts doing bad things.

  6. Anonymous Coward
    Anonymous Coward

    I want to sincerely apologize to each and every one of our users

    Marissa, you can just email that apology to my Yahoo account and all will be forgiven.

    1. Eddy Ito

      Re: I want to sincerely apologize to each and every one of our users

      How about she mail it from her Yahoo account?

  7. Franco Silver badge

    Given that this is a woman who wouldn't PIN protect her phone, it's safe to say her attitude towards security is pretty lax

  8. Nolveys

    "People back home cannot understand how the CEO of Equifax and the CEO of Yahoo! walked away with $90m, or $27m, or possibly a quarter of a billion dollars in stocks – this is unfathomable to the average person,"

    We understand just fine. The corporations own the government and are thus above the law. Why spend money on security when there are no consequences?

  9. This post has been deleted by its author

  10. Anonymous South African Coward Silver badge

    So that golden parachute does not look golden anymore... more like gilded lead...

  11. x 7

    doesn't she look tired?

    definitely aged in the last 12 months

    1. Anonymous Coward
      Anonymous Coward

      Tired?

      Yeah, carrying around $27M is hard work!

  12. Aodhhan

    Let us not forget

    Why isn't the US Congress, along with every state legislature not pointing fingers at themselves?

    For years, information security bills have been killed because huge corporations contribute large amounts of money to their campaigns to make sure any security bill dies in committee.

    While I enjoy these theatrics by those in Congress who put on a performance worthy of an Emmy nomination, we all know at the end of the day, you will waggle your finger... then when the lights go out, take more money from these corporations to maintain the status quo.

    Bravo and shame on our elected officials.

  13. captain_solo

    I used to think that the solution was that executives should be responsible legally for customer data kinda like executives are responsible for customer money in financial services accounts, but then, the government doesn't hold those turds responsible either and there are laws in that context already they are just not enforced except for cases where the big guys want a competitor taken out and use their bought and paid for government stooges to get it done.

    Until the government isn't completely complicit in the rapine of customer information from domestic corporate networks for their own dubious and possibly evil purposes, they have no credibility to hold private executives to account.

    Also, look at the security history of the legislative branch, a bunch of whom had some really sketchy foreign nationals running a small business looking after their IT while also perpetrating a variety of real estate scams and offshoring a bunch of cash to Pakistan...nothing to see here folks, move along.

  14. shawnfromnh

    Well when you do a diversity hire and the person in charge of security is a music major then your PC culture is probably going to bite you and your customers right in the ass. Hell anyone here on this comment section would be a better person for security director than who they hired, not me but the rest of you are definitely on your games when it comes to this stuff.

    1. Anonymous Coward
      Anonymous Coward

      not me but the rest of you

      Not me, either. Security Director is one of the two IT jobs - the other being Help Desk - I could never, ever do, God bless them.

  15. JWLong

    Why Ask Her!

    She's just a corporate MONKEY!

    She's already been payed, up front................

    Fuck the government, the corps control that.

    So, she goes and talks, and makes sorry..............

    So what does that do!

    NOTHING!

    And YaHoo gets bought out.......The government agrees....... and there's no liability!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020